Threat Intelligence Blog

Interview with Joseph Menn, Author of Fatal System Error

Posted June 2, 2010

Cyveillance recently had the opportunity to interview Joseph Menn, the author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet, released in January 2010. Menn has reported on security and other technology issues for more than a decade at the Financial Times and the Los Angeles Times, mostly from his base in San Francisco. He is a two-time finalist for the Loeb Award, the most prestigious in financial journalism. Earlier, he won a “Best in Business” award from the Society of American Business Editors and Writers for tobacco coverage at Bloomberg News, where as legal editor he directed stories that revealed the landmark settlement talks between the cigarette companies and the states.

His latest nonfiction book follows two protagonists who were successful in bringing down a small group of cyber criminals. It also highlights the growing threat and active participation of organized crime syndicates in online criminal activity.

Cyveillance asked Menn for some comments on this serious problem.

Cyveillance: Your book covers a time frame from approximately 2000 through 2009. Based on the experiences of the book’s protagonists, what would you say the large-scale trends in cyber crime during that time frame are?

Menn: It’s night and day. In 2000, hackers would knock down sites such as eBay and Yahoo for momentary fame. They were isolated teens or those with small circles of like-minded friends. In 2003, the first purely commercial viruses appeared, compromising tens of thousands of machines for illicit purposes. The initial motive for the people in charge was to make money by sending spam from addresses that would evade blacklists, which were growing more effective. But once they had the botnets, they began finding other ways of making money, including denial-of-service attacks for hire. They would take out a sponsor’s competitor for a price at first, but then the criminals became more enterprising and wiped out sites unless they were paid off, a freelance extortion gambit. The same gangs and bots are now engaged in mass identity theft and financial fraud against consumers and small businesses, as well as theft of trade and military secrets. By now, the vast majority of serious cyber crime is mob-related, and more than 90 per cent goes overseas.

Cyveillance: In the book both Barrett Lyon, an American citizen, and Andy Crocker, a British law enforcement officer, experienced frustration with domestic and international law enforcement’s ability to understand and take action against the cyber criminals they faced. Why do you think this is, and has the situation improved? If you think it has not improved, what do you think needs to change in law enforcement to more effectively take on sophisticated cyber crime?

Menn: Cyber crime cases are hard to prove. The Internet might as well have been designed with plausible deniability in mind. And law enforcement cooperation is hard to get even from allies, due to logistical issues, differing priorities and varying laws. But the overarching problem, which nobody in power wants to talk about, is that the worst of the worst are knowingly protected by corrupt governments or those that view the mobsters as intelligence assets or strategic weapons. The enforcement outlook has not improved substantially, while the crime has gotten much worse over the years. Britain, which during the period in the book was well ahead of US efforts overseas, has gone backward with the dismantling of the National Hi-Tech Crime Unit. The only ray of light is that people inside the Obama administration are paying more attention and thinking about the issue.

Cyveillance: How would you describe the connection between the cyber criminals described in your book and traditional organized crime?

Menn: In Russia, both petty criminals and legitimate business owners typically need a “roof”, or mob patron, to whom they pay tribute in exchange for fending off other criminals and officials looking for bribes. So even independent hacking rings, once they got large, depended on traditional mobsters to perform such services. Once the old mob saw how lucrative Internet crime was, it began taking a more direct supervisory role, as it did with the Russian Business Network in St. Petersburg.

Cyveillance: The criminals in Fatal System Error were largely Russian in origin. What is it about Russia that seems to produce such sophisticated cyber criminals, and do you see that situation improving?

Menn: Russia has had first-rate math and computer education for decades. But there are limited legitimate career opportunities. In addition, crime isn’t viewed through the same moral lens we have in the West; it just isn’t seen as that bad a choice. The corruption is staggering. And now it is even worse, because the major criminal hacking groups have protection from intelligence and military wings of the national government. The same people are being used to attack Kremlin enemies, both internally and externally, including government and media sites in countries such as Estonia and Georgia.

Cyveillance: Based on your book’s findings and other accounts, there appear to be casual if not formal links between the Russian government and the online criminal enterprise known as the Russian Business Network. While botnets that are under the control of groups like the RBN are harmful by definition, is it your belief that the weaponization of criminal resources reportedly found here is an isolated incident, or is this a growing risk from other governments?

Menn: It is a pattern that is spreading. The second most serious threat comes from China. Hacking there has evolved the other way, beginning with state-sponsored and patriotic attacks and now with a major profit motive as well. Criminal outfits with bot networks may look for personal financial data first, but they share commercial and military goodies with the officials who protect them.

Cyveillance: If there is one lesson from Fatal System Error, what is it?

Menn: The internet as we have come to use it–for financial and business activities–cannot survive without drastic action that is highly unlikely to occur. We need to make the protection of criminals a major diplomatic priority, and we need massive funding for an opt-in protocol more secure than TCP/IP.

Cyveillance: Thank you for your time. Any other thoughts you would like to add?

Menn: I’ve covered cybersecurity for almost a dozen years at major newspapers. Since 2004, I’ve been convinced the topic needed a thorough but also entertaining book on the subject. I got very lucky in finding heroes like Barrett, who infiltrated both Russian and Gambino cyber-mob operations, and Andy, who was nearly killed while conducting the most successful West-Russian collaborative prosecution of hackers in history, yet had never told his story. With the New Yorker comparing Fatal System Error to Stieg Larsson’s trilogy and Slashdot saying it’s on par with The Cuckoo’s Egg, I feel I accomplished what I set out to do.